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Quantum cryptography is reviewed, first using entangle- 
ment both for the intuition and for the experimental realiza- 
tions. Next, the implementation is simplified in several steps 
until it becomes practical. At this point entanglement has 
disappeared. This method can be seen as a lesson of Applied 
Physics. Finally, security issues, e.g. photon number splitting 
attacks, and counter-measures are discussed. 

I. INTRODUCTION 

Quantum cryptography is a beautiful idea! It covers 
aspects from fundamental quantum physics to Applied 
Physics via classical and quantum information theories 
[1]. During the last ten years, quantum cryptography 
progressed tremendously, in all directions: from mathe- 
matical security proofs of idealized scenarii to commercial 
prototypes. In these proceedings we review the intuition, 
the experimental progress in optical fibers implementa- 
tions and some security aspects, each viewed first with 
entanglement, and then without. Undoubtedly, quantum 
cryptography is intellectually more fascinating and con- 
ceptually easier with entanglement, but much more prac- 
tical without it. Hence both aspects, with and without 
entanglement, are equally beautiful! 

The next section presents the intuition behind quan- 
tum cryptography. Section III can be seen as a lesson in 
Applied Physics: how to simplify a theorist's implemen- 
tation of a nice idea until it is practical, while keeping the 
essential. This shows that Applied Physics requires a lot 
of imagination and a deep understanding of the essential 
physical ingredients. Finally, section IV reviews some 
security issues: coherent and individual eavesdropping, 
Trojan horse attacks, photon number splitting attacks 
and means to limit their efficiency. 

II. INTUITIONS 

A. Key distribution 

The general scenario for key distribution, whether clas- 
sical or quantum, goes as follows. Alice and Bob, the hon- 
est parties, hold many realizations of random variables 
X and Y respectively. The adversary, Eve, holds realiza- 
tions of a third random variable Z. Hence the scenario is 
described by a joint probability distribution P(X, Y, Z) 
[2] . Intuitively it is clear that if X and Y are strongly 
correlated (e.g. almost identical) and furthermore, if Z 
is essentially uncorrelated, then Alice and Bob can use a 



public communication channel to distil secret bits. This 
intuition is made precise in the following theorem. The 
useful measure of correlation here is the mutual Shannon 
information. 

Theorem [3] For a given P{X, Y, Z), Alice and Bob 
can establish a secret key (using only error correc- 
tion and classical privacy amplification) if and only 
if I(X,Y) > xmn{I(X,Z),I(Y,Z)}, where I(X,Y) = 
H(X) — H(X\Y) denotes the mutual information and 
H is the Shannon entropy. 

Note that by definition privacy amplification uses only 
1-way communication. If Alice and Bob use 2-way com- 
munication, the situation is more complex [4-6]. But 
these 2-way protocols are so inefficient that in practice 
they are always ignored. 

B. Quantum key distribution with entanglement 

Let us assume that the random variables X, Y and 
Z introduced above result from quantum measurements 
that Alice, Bob and Eve perform on a quantum state 
ipABE- It is clear for the quantum physicists, that if the 
partial state pab shared by Alice and Bob is close to max- 
imally entangled, then Eve is "factorized out", i.e. is un- 
correlated. This is because a maximally entangled state 
is a pure state pab ~ \'4>ab){4'ab\- i hence the global state 
has to be close to a product state: ipABE ~ ipAB <8 4>e- 
If one understands entanglement, more precisely, if one 
is familiar with the algebra of tensor products, then the 
reason why quantum key distribution with entanglement 
is secure becomes very intuitive! 

C. Quantum key distribution without entanglement 

Assume now that Alice and Bob do not share an entan- 
gled state, but - following the original idea [7] - that Alice 
sends individual quanta to Bob (when the quanta are de- 
scribed by a 2-dimensional Hilbert space, one speaks of 
qubits). Alice and Bob use two (or more) incompatible 
bases to prepare and measure each quanta. Because of 
the use of incompatible bases, there is no way for Eve to 
make copies of the flying quanta. Indeed, the no-cloning 
theorem guarantees that there is no way to copy an un- 
known quanta without perturbing its state [8] . Thus Al- 
ice and Bob can check for the presence of an adversary, 
Eve, by comparing a sample of their data: if the data 
is perfectly correlated, then Eve did not try to copy it 
and the remaining data is safe. Each time Alice and Bob 



1 



happen to have used the same basis, their data provides 
them with a secret bit. 

This view of QKD without entanglement can be based 
on different aspects of quantum physics, like Heisenberg's 
uncertainty relation or that quantum measurements per- 
turb the system. But in the end all these are based on the 
linearities of quantum kinematics (the Hilbert space) and 
dynamics (Schrodinger's equation). And this linearity is 
also the basis for entanglement, which appears when one 
introduces linear combinations of product states. Hence, 
intuitively one feels that both QKD schemes are closely 
related. 



III. EXPERIMENTS: A LESSON IN APPLIED 
PHYSICS 

The first choice when thinking about an experimen- 
tal realization of QKD concerns the degree of freedom 
used for encoding the qubit. Indeed, if one goes for op- 
tical fibers, then the system is imposed: telecom pho- 
tons. A first possible choice would be polarization. Un- 
fortunately this is a quite unstable degree of freedom: 
actual fibers have some birefringence (different polariza- 
tion modes travel at different speeds), moreover the po- 
larization modes suffer from random polarization mode 
coupling [9]. And if the fiber is hanging between posts, 
the situation is even worse: Berry phase would be ran- 
dom, leading to fast (ms) random polarization fluctua- 
tions [10]. Hence, better choices should be envisaged. 
In Geneva, we chose time-bin qubits [11]. The idea is 
depicted in Fig. 1. Each photon is brought into a su- 
perposition of two time-bins, an early and a delayed one. 
The probability amplitudes of each time-bin and their 
relative phase allow one to prepare any possible qubit 
state. Also any possible projective measurement can be 
realized using a similar interferometer shown on the right 
hand side of Fig 1 . 
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FIG. 1. Time-bin qubits. After Alice's interferometer the 
photon is brought into a superposition of the two time-bins 
(early and late) corresponding to the two arms of the interfer- 
ometer (short and long). The logical values (1) is attributed 
to early (late). Note that by tuning their respective phases 
and coupling ratios, Alice can prepare any qubit state and Bob 
can perform a measurement in any qubit basis. The switch al- 
lows in principle the state preparation and the measurement 
without losses. In practice however one often replaces the 
switch by a 50-50 coupler and uses postselection. 



In the following sub-sections we review step by step 
simplifications of the theorist's implementation of QKD. 



A. Basic experiment with entangled time-bin qubits 
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FIG. 2. Quantum cryptography with entangled time-bin 
qubits. The source sends a pulse at time to- The detection 
on Alice's (Bob's) side occurs at time £a (is). 



The configuration presented in Fig. 2 is close to Ek- 
ert's original proposal [12], but uses time-bin qubits in- 
stead of polarization. The source at the center contains a 
non-linear crystal in which a pump photon spontaneously 
splits into two twin photons. Energy conservation guar- 
antees that the twins' energies (i.e the optical frequen- 
cies) add up to the well defined energy of the pump pho- 
ton, although each of the twin photon has itself an uncer- 
tain energy, uncertain in the usual quantum mechanical 
sense. The pump photon is part of a large classical pulse, 
about 500 ps long. Since the probability of " splitting" , 
i.e. of spontaneous parametric downconversion, is low 
(typically lO" 10 , up to 10"6 in PPLN waveguides [13]), 
the pulse energy can be adjusted such that the proba- 
bility that a pair of twin photons is generated is around 
10%. In order to produce entangled time-bin qubits, the 
pump pulse passes through an unbalanced interferome- 
ter, where the imbalance is much longer than the pulse 
duration. Alice and Bob both use the standard time-bin 
qubit analyzer presented in Fig. 1. They fix the phases 
(relative to the pump interferometer) of their interfer- 
ometers such that the two twin photons always emerge 
at the same output port, hence their detectors clicks are 
perfectly correlated. For a second, incompatible, basis 
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Alice and Bob could use different phase settings. But 
a first simplification can immediately be implemented. 
They replace the switch of their measuring interferom- 
eter by a much simpler and less lossy fiber optical cou- 
pler. Hence, Alice and Bob can also detect photons at an 
earlier or at a later time: earlier if the pump and their 
twin photons passed through the short arms of the in- 
terferometers, later if they both travelled the long way. 
Consequently, whenever Alice and Bob both detect their 
twin photon in the lateral peaks (i.e. early or late), then 
they both definitely have the same detection time: either 
both early or both late. And if Alice and Bob both detect 
their twin photon in the central time-bin, then they def- 
initely have a click in the same detector (assuming their 
phases are fixed at a = /3 = 0). The first case uses the 
time-basis, the second the frequency-basis (see Fig. 3). 

Alice Bob 



Perfect correletion in the frequency domain 




Perfect correletion in the time domain 



FIG. 3. Time and frequency correletions 



A first simplification of the previous scheme consists in 
suppressing the pump interferometer and replacing the 
pulsed laser by a continuous pump laser, see Fig. 4. If 
the coherence length of this cw pump laser is larger than 
the imbalance of Alice and Bob's interferometers, then 2- 
photon interference can still be observed. Indeed, when 
Alice and Bob post-select coincidence detections, then 
there are two possibilities: either both photons passed 
through the short arm of both interferometers, or both 
passed through the long arm. Since the pump laser's 
coherence is large, these two possibilities are indistin- 
guishable. Hence, according to quantum mechanics, one 
should add the probability amplitudes and observe in- 
terference. In this configuration Alice and Bob need to 
randomly choose the settings of their phase modulators: 
0, 90, 180 and 270 degrees, let's say. Whenever they hap- 
pen to use settings corresponding to a phase difference 
multiple of 180°, then their detectors always fire together. 

This is a nice configuration, but admittedly more 
suited for tests of Bell inequality (i.e. of quantum 
non-locality) than for a practical quantum cryptography 
setup. Actually, this configuration has been proposed in 
1989 by J. Franson on the context of quantum nonlocal- 
ity and is called a Franson interferometer [15]. This is 
the configuration we used in 1997 for our long distance 
Bell test over 18km in optical fibers (10km in straight 
line) [16]. 

C. Somewhat simpler 



Conceptually this is quite elegant. It has even been 
realized in our lab [14], and recent results show that it is 
feasible over a significant distance. But this configuration 
is not very practical: there are three interferometers to 
align and stabilize, and the polarization of the three pho- 
tons has to be kept under control. Hence, let's simplify 
this! 



B. First simplification: energy-time entanglement 
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FIG. 4. First simplification. A continuous wave (cw) 
source can replace the pump interferometer. 



The next step notices that there is no need to put the 
source at the middle, half-way between Alice and Bob. 
The middle position is merely elegant. But it is more 
practical to put the source on one side, let's say Alice's 
side. Notice that Alice doesn't become the sender of 
the quantum key: the key results eventually from inde- 
pendent random choices made by both partners and by 
Nature, there is nothing like a quantum key sender. But 
now, only one photon must travel a long distance. Hence, 
the photon that stays on Alice's side can be chosen at a 
more convenient wavelength for efficient detection, that 
is at a wavelength where silicium APDs are available, 
i.e. below 1 /i, around 800 nm. This configuration, with 
some additional nice tricks, was demonstrated in 2001 by 
G. Ribordy [17], who founded id Quantique a few years 
later, the first company to propose a quantum cryptogra- 
phy setup [18]. His experiment was the first one targeting 
primarily quantum cryptography with entangled photons 
- all other experiments, including ours, where tailored for 
Bell tests and merely adapted to fashion. Ribordy's ex- 
periment still holds the distance record of QKD using 
entangled photons. But admittedly, is not yet that prac- 
tical since two photons must be detected. Hence, let's 
make it simpler! 
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D. The first main step towards a practical system 
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FIG. 5. The source can be moved on the other side of Al- 
ice's interferometer. 



The first step towards a really practical system con- 
sists in moving the photon source to the other side of 
Alice's interferometer. At first this may look like a com- 
plete change, but it really isn't! Let's first use formulas. 
Whenever a unitary operator U acts on one subsystem 
of a maximally entangled pair state $( + ), then the same 
effect can be obtained by acting with a related unitary 
operator on the other subsystems: 



U® = l<g>[/*$ (+) 



(1) 



where TP denotes the transpose. 

This formula applied to our case simply tells us that for 
Alice's interferometer, the long arm with a central source 
is equivalent to the short arm with a source moved to the 
left of the interferometer, as shown in Fig. 5. Now the 
interference results from the indistinguishability of the 
following two paths: short-long and long-short, where 
the first term applies to the path in Alice's interferometer 
and the second to the path in Bob's interferometer. The 
significant simplification follows quite naturally. Since 
the photon travelling to the left on Fig. 5 is actually not 
used, or only as a trigger, one may as well use a single 
photon source. Well, that is even less practical, at least 
as long as single photon sources at telecom wavelength 
do not exists. But now one can also use the much more 
practical pseudo-single photon sources. These sources are 
simply very attenuated telecom laser pulses, such that 
the mean photon number per pulse is only of the order 
of 0.1. Hence the probability that a pulse contains two 
photons is almost negligible (in section III we come back 
to the issue of multi-photon pulses). Attenuating a laser 
pulse that low is not trivial, but still much simpler and 
much more stable, which is very important, than twin- 
photon sources. 

This configuration presented in Fig. 5 was first used 
by Paul Townsend, then at BT, and John Rarity, then 
at DERA [19], and is still developed at Los Alamos Na- 
tional Laboratories, USA, in the group of Richard Hughes 
[20]. But looking at Fig. 5 one still sees two interferome- 
ters that need to be stabilized: the difference long-short 
has to be the same for both interferometers. And since 
this scheme relies on interferences, the polarization of 



the pseudo-single photons must be controlled. All this re- 
quires active feedback, which is not impossible to achieve, 
but not yet entirely practical. So let's simplify it further! 



E. A practical setup: the Plug & Play configuration 
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FIG. 6. Plug & Play setup [23,24]. 



The next step realizes that there is no need for two 
interferometers, one is enough (see Fig. 6). But then 
the pulse must travel go-&-return, using a mirror as in- 
dicated on the figure. The indistinguishable paths are 
still short-long and long-short, but now referring to the 
paths during the go and the return propagations. Notice 
that in this scheme the role of Alice and Bob are in- 
verted: Bob chooses one among four phase settings and 
Alice chooses a measurement basis. A serious drawback 
is that the photons must travel twice the distance, hence 
suffer from twice the loss. But this can be circumvented. 
Actually it is only on the return flight that the pulse has 
to be attenuated down to the pseudo-single photon level. 
Consequently, a bright pulse is sent out, attenuated by 
Bob and reflected to Alice. Notice that since there is 
now only a single interferometer, there is no longer any 
need to align it! All that is needed is that it remains 
stable during the time of a go-&-return, i.e. a few micro- 
seconds. But there remains the polarization. Here again 
there is an elegant solution, first suggested in a different 
context by Martinelli [21]. It consists of using a Faraday 
mirror. The details can be found in [21,1]. Essentially 
such mirrors act on polarization like a phase conjugating 
mirror acts on phase. The net result is that when a light 
pulse arrives back on Alice's side, it is in a fixed polariza- 
tion state, independent of all the polarization fluctuation 
light underwent during propagation: all the fluctuations 
where undone during the return journey. Faraday mir- 
rors use the non-reciprocal Faraday effect, the same effect 
used in isolators and in circulators. Hence the telecom 
industry has developed this technology to a remarkable 
point and Faraday mirrors can readily be bought [22]. 

A further simplification comes from the fact that a 
Faraday mirror exchanges vertical and horizontal polar- 
ization. Hence, replacing the output coupler of Alice's in- 
terferometer by a polarization beam splitter guarantees 
that a photon that passed through the long arm when 
emitted, will return via the short arm, and vice-versa. 
Consequently, Alice doesn't need to post-select the cases 
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where the photon arrives in the correct time-bin since all 
detected photons arrive at the correct time. 

When this setup was first tested using classical light 
(i.e. without the attenuator), experimentalists in Geneva 
were very pleased to measure visibilities up to V — 
99.8%, without much effort, even over tens of km! 
Accordingly this configuration was named Plug-&-Play 
[23]. Using this setup for QKD, the noise (QBER) is 
largely dominated by the detector noise: QBER opt i ca i = 
i±^«l%. 

The Plug & Play configuration has been demonstrated 
in a QKD experiment between Geneva and Lausanne over 
a distance of 67km using the swiss telecom network, with 
terrestrial and with a cable under lake Geneva [24] (see 
also [25]). This experiment received quite a lot of atten- 
tion. But actually, another experiment presented in the 
same paper deserves probably more attention. It used 
aerial cables and was done in mountains near Geneva. 
This clearly demonstrated the very high stability of the 
Plug & Play configuration. Indeed, it would be almost 
impossible to demonstrate QKD with any of the previ- 
ously discussed configurations using aerial cables! 

IV. SECURITY 

A. Security proofs based on entanglement 

The most general proofs of security, often termed a la 
Shor-Preskill, are quite surprising [26]. Following ideas 
by Mayer [27], Lo and Chau [28] and the development of 
quantum error codes, these proofs essentially show that 
from Alice and Bob's points of view everything is as if 
they had used close to maximally entangled states, al- 
though they actually did use a scheme without entangle- 
ment. More details can be found in I. Chuang's contribu- 
tion to these proceedings. Let us simply emphasize that 
it is still not known whether Eve can in principle reach 
these bounds, or whether these bounds are sub-optimal. 
From a practical point of view this is a pity, since we do 
not know whether we do really need to sacrifice qubits 
to these bounds or could use the more optimistic bound 
summarized in the next sub-section. 



B. Security proofs without entanglement 

The proofs in this subsection do not consider the most 
general attack, but only what is called the individual, or 
incoherent attack. Actually, these proofs also treat the 
case of finite- coherent attacks, hence let us concentrate 
on the later. All the security proofs are valid only in 
the limit of arbitrarily long keys. If not, the statistical 
arguments wouldn't apply. Now, let's assume that Eve 
can attack several qubits in a coherent way, i.e. she can 
coherently let auxiliary systems under her control inter- 
act (unitarily of course) with the flying qubits. Assume 



that Eve can do this up to a maximum number of N 
qubits. We call this finite-coherent attacks. If Alice and 
Bob use key lengths much longer than N, then Eve is in 
the same situation as if she would be limited to individ- 
ual attacks (one auxiliary system per qubit). Hence, the 
proofs "without entanglement" are valid for all senarii 
except if Eve can attack coherently an unlimited number 
of qubits - a conceptually interesting scenario, but hard 
to take seriously for the practical physicist. 

In 1997 Fuchs et al. [31] presented the optimal individ- 
ual attack, see also [32]. Since then it has been general- 
ized to more than two bases [33] and to higher dimensions 
[34]. By now, the BB84 case is well known. The main 
results are summarized in Fig. 7. 




FIG. 7. The Shannon mutual information as a function of 
the QBER for the BB84 protocol. It is still not known if the 
Shor-Preskill bound (QBER~11 %) can be saturated or not. 
The bound for invidual attacks (QBER~15%) is known to be 
optimal. 



C. Trojan horse attacks and technological loopholes 

As shown in Fig. 6 the configuration opens a new possi- 
ble attack for Eve, the so-called Trojan horse attack. Eve 
could send into Bob's apparatus a bright laser pulse to 
sense the phase modulator's setting. This illustrates that 
for every simplification step one has to carefully check the 
security of the configuration. In the present case there is 
a simple way to avoid Trojan horse attacks. Bob adds a 
coupler taking out a large fraction (typically 90%) of the 
light at his apparatus input. This coupler can be con- 
sidered as part of the attenuator shown in Fig. 6. The 
extracted light is directed onto a standard detector that 
monitors the energy of each incoming pulse. Addition- 
ally this detector is very useful for the synchronization 
of the phase modulator. Eve could now use a different 
wavelength at which either the coupler or the detector is 
inefficient. To avoid this Bob has to use a filter which 
blocks all unwanted wavelengths. This discussion could 
be extended more or less for ever. Let us emphasize 
two important points. First, this is not specific to the 
Plug-&-Play configuration, every real optical component 
has some imperfection, in particular they do all reflect 
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some light. Hence Eve could always try to send a sens- 
ing pulse and Alice and Bob should always have warning 
detectors and protecting filters. The second point is that 
this brief discussion illustrates the limit of mathemati- 
cal proofs of security. Indeed, such proofs have either 
to assume perfect components, or components with pre- 
cisely defined defects. In practice a central issue is how 
to make sure that an actual prototype satisfies the as- 
sumptions of a mathematical theorem? In this respect, 
it should be mentioned that when we made the simplifi- 
cation from a 2-photon to a 1-photon configurations, wc 
lost the possibility of using the violation of Bell's inequal- 
ity as a signature of quantumncss (i.e. if the correlation 
measured by Alice and Bob violate some Bell inequal- 
ity, then they definitely share an entanglement preserving 
quantum channel). Using Bell inequalities in this sense 
is a very nice idea [29]. However the detection efficiency 
loophole that affects all optical tests of Bell inequality 
renders this kind of control infcasible with near future 
technology [30]. Note also that a violation of a Bell in- 
equality could not detect a Trojan horse type of attack. 

D. What is secure? 

Since there is some controversy on this, let us ask 
"what is secure in QKD?". It is clear that Eve should 
not have access to Alice nor to Bob's electronics. Indeed, 
there the information is classical and Eve could merely 
copy it. On the contrary, the quantum channel, i.e. the 
optical fiber, is secure thanks to quantum physics. But 
now comes an old question in a new context: where does 
the quantum/classical transition happen? As long as the 
information is quantum, the no-cloning theorem applies. 
As soon as it is classical, security is lost (i.e. must be 
guaranteed by other means). Surprisingly to us, many 
physicists (mainly theorists) consider the detector on the 
quantum side. This is of course a simple way to be on 
the safe side [35]. But it implies a very significant waste 
of qubits. It seems really hard to imagine Eve modifying 
Bob's detector's dark count probability from a distance. 
And if we give her this capability, why not also give her 
the power to change Alice's source from a distance? Let's 
say that quantum cryptography offers "only" secure key 
distribution over a quantum channel, assuming the hard- 
ware on both sides are secured by classical means. 

There remains though an issue. Eve could modify the 
apparent detection efficiency of Bob's detector by sending 
brighter pulses. This is clearly feasible and Bob thus has 
to continuously monitor the coincidence rate between his 
detectors. If this coincidence rate exceeds the threshold 
corresponding to accidentals (due mainly to dark counts), 
then he should interrupt the protocol. 



E. Multi-photon pulses: problem and solutions 

Another potential security loophole comes from the 
cases where the pseudo-single photon source actually pro- 
duces more than one photon. These events being rare one 
may think that they are negligible. However, if the losses 
on the quantum channel are high, e.g. the fiber is long, 
then the cases where the desired photon makes it to Bob 
are also rare. Hence Eve could perform the following at- 
tack [36]. Directly at the exit of Alice's office, Eve counts 
the number of photons in each pulse, without perturbing 
the degree of freedom used to encode the qubit, i.e. Eve 
performs quantum nondemolition measurements on each 
pulse (this is total science fiction with today's technol- 
ogy, but if one assumes that Eve is limited only by the 
laws of physics, she could do so). Next, Eve blocks all 
single-photon pulses. Whenever a pulse contains 2 or 
more photons, she keeps one and sends the others to Bob 
through a perfect channel, or even better she teleports 
them to Bob. If the fraction of pulses Eve blocks bal- 
anced the fraction of pulses that would have got lost in 
normal operation, then Bob notices no difference. But 
now Eve holds a copy of the qubits. The main point is 
that she didn't need to make any copy, Alice unwillingly 
offered her some. 

Of course, once the attack was performed, Eve has to 
conserve her photons, waiting for the basis reconciliation, 
when Alice publicly announces which basis she used to 
encode each qubit. Thus Eve clearly needs a quantum 
memory, which again is far from today's technology but 
could in principle be designed. 

A first way around such PNS (Photon Number Split- 
ting) attack consists of using sources producing sub- 
poissonian light. Indeed in such sources, the probability 
of 2-photon pulses is reduced compared to a poissonian 
light source like a laser, for the same probability of a 
1-photon pulse. Such sources are often named single- 
photon sources and are an active field of research [37]. 

Another approach realizes that the weakness of the 
BB84 protocol against PNS attacks is that whenever Eve 
holds a copy, she has full information about the quantum 
state. But then, why not replace in the protocol the bases 
by sets of non-orthogonal states [39]. Remember that 
unambiguous discrimination of non orthogonal states is 
possible, but at the cost of some inconclusive results [38]. 
So even when Eve has a perfect copy of the state she can- 
not find out what the bit is with certainty. A particularly 
simple example of such new protocols uses precisely the 
same states and measurements as in the BB84 protocol, 
but the sifting procedure differs [40]. This protocol is 
called SARG and is described in Fig. 8 
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FIG. 8. The SARG protocol. The hardware is exactly the 
same as for the well known BB84 protocol. The only differ- 
ence is in the sifting procedure. To exchange a secret bit Alice 
and Bob proceed as follows. Alice prepares one of the 4 states 
shown above, say | + x) . Then she announces to Bob a set of 
two non- orthogonal states containing the state she actually 
prepared, for example {| + x), | + y}}- Whenever Bob mea- 
sures in the x basis (the correct basis), he always finds | + x) 
and cannot conclude anything. But when Bob measures in 
the y (the wrong basis) he finds | — y) half of the time. In 
these cases he concludes that Alice prepared the state | + x) . 
The PNS attack is much less effective for this protocol than 
for the BB84, since Eve has to distinguish between two non 
orthogonal states. The probability of success of such a mea- 
surement is p — 1 — 7 ~ 0.29, where 7 = ± y) — 
since we used two maximally conjugated basis. 



Though PNS attacks seem completely unrealistic with 
today's technology, it is nice to see that new protocols 
can still be devised, inspired by practical considerations. 
In this respect, see also Ph. Grangier's contribution to 
these proceedings. 

V. CONCLUSION 

Quantum cryptography is a beautiful idea! It is also 
an excellent teaching tool, encompassing basic quantum 
physics (no-cloning theorem, entanglement) and Applied 
Physics (telecom engineering). It also involves a signifi- 
cant part of classical and of quantum information theory. 
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